Three things at the
dev-machine layer.
Built today.
Visibility into prompts and completions, tied to identity, agent, and host. Deterministic enforcement on patterns you can name. Cryptographic evidence — exportable to SIEM, SOC 2, and FedRAMP — that the published policy is the one that decided each request.
A clean AI-egress control is three properties at once.
A vendor who sells you one of the three is selling you a piece of an answer.
Prompt + completion + identity
You need to see the request body, who sent it, which agent sent it, which host it left, and which policy version it was decided under.
Deterministic on patterns you can name
A regulated buyer needs a layer that blocks by policy alone — no model in the path, no opinion. The judge is additive; it is not the floor.
Cryptographic, exportable, offline-verifiable
An auditor needs to prove, after the fact, which signed policy decided each request — without re-running Tether or trusting Tether to vouch for itself.
Eight capabilities,
each citation-grade.
Each row is a BUILT or PARTIAL capability from the read-only review. PARTIAL is scoped honestly — what's in production today, what's reserved for the managed VSCodium build.
Loopback-only by default
Connect proxy on 127.0.0.1:11435 — does not require system-wide rerouting.
proxy/main.go:98-103127.0.0.1 by default. Operators can widen via bind_host or TETHER_PROXY_BIND_HOST, but the proxy emits a named startup warning. No root CA is installed on the developer machine. CONNECT tunnels are byte-copied bidirectionally — Tether classifies the destination host and does not decrypt the tunnel.
HTTP_PROXY is not governed.
Deterministic blocklist floor (Tier 0)
Compiled regex over the embedded floor plus operator-promoted patterns.
blocklist.go:138 proxy_core.go:114-117AllowlistPatterns field — a 10-second turnaround once published.
Ed25519-signed policy distribution
Bundles signed in Overwatch, verified by the proxy, ACKed by hostname.
policy-signing.js:122-150 policy_signing.go:171-203{schemaVersion, version, controls, publishedAt} at publish. Each proxy verifies before applying — TOFU-pinned per-tenant public key, fail-closed on mismatch. Monotonic version blocks replay. Policy poll interval is 10 seconds; ACKs include {hostname, version, appliedAt} so Overwatch shows real fleet-adoption state.
Hardware-adaptive local model judge
Four hardware tiers: metal / cuda / cpu-modern / cpu-low. Customer-supplied model.
judge_selector.go:76-93cloud_judge_can_block with a default 800 ms timeout.
Three-tier judge authority
Tier 0 always blocks · Tier 1 sync fail-closed (opt-in) · Tier 2 advisory cannot block.
docs/JUDGE_AUTHORITY.mdSIEM adapters — Splunk HEC · Sentinel · syslog
Splunk HEC, Microsoft Sentinel via HMAC-signed Log Analytics, syslog RFC 5424 UDP.
siem-adapters.js:36dgram. Shared 5-attempt exponential-backoff retry. HMAC-SHA256 outbound webhooks ride the same fan-out infrastructure.
SCIM directory sync via Jackson
HMAC-signed webhook · role-from-groups mapping · full audit trail.
jackson.js:205-291user.created / user.updated / user.deleted map to roles via group name (Overwatch Admins / Overwatch Operators / default viewer; group names are env-configurable). Every provision and deprovision lands in the audit trail.
Device posture export — four formats
Tether-native JSON · Okta Device Trust · Microsoft Graph managedDevice · CSV.
posture-export.js:217-228GET /api/v1/devices/posture/export in tether, okta, entra, or csv formats, with ?compliantOnly= and ?since= filters. The Okta envelope plugs into Device Trust attestation. The Entra shape mirrors GET /deviceManagement/managedDevices with the extensions.aiSecurityPosture namespace.
Reproducible enforcement attestation
X-Tether-Policy-Version on every response · auditors verify offline.
X-Tether-Policy-Version. Every event and judge review stamps the active policyVersion. GET /api/v1/policy/versions/<version> returns the signed bundle. An auditor runs Ed25519 verification offline (openssl pkeyutl -verify) against the controls in force.
Clipboard, downloads, external links
— shipping in the managed VSCodium build.
The workspace daemon is in production and produces the right decision plus a WORKSPACE_COACHED audit on every fire. The IDE-side enforcement seam lives in the managed VSCodium artifact, which post-dates the Connect tier.
- · Daemon decisions and audit. Clipboard / downloads / external links / screen capture / coach mode all return correct decisions and emit events.
- · VS Code extension. Shipped. Tier-2 env injection (opt-in), SCIM identity sync, agent inventory.
- · MCP
tether_may_i_*tools. Voluntary surface for cooperative agents —needs_approvalrides the JIT queue.
- · Managed VSCodium artifact. Signed installer for macOS / Windows / Linux. 4-8 engineering weeks of signing infrastructure away.
- · Cursor and JetBrains. VS Code shipped. Cursor and JetBrains extensions on the 90-day roadmap.
- · Per-request attestation hardening. Tamper-evident per-version bundle retention. Today: append-only
policy-audit.jsonl. SQLite-backed durable stores post-GA.
Just-in-time access requests.
From the developer's IDE to the operator's queue.
JIT fires when a workspace axis (clipboard, downloads, external links, screen capture) is set to request mode. The daemon pauses the action and posts to Overwatch; the operator decides.
Trigger. The workspace daemon's policy axis (e.g., clipboard.mode) is set to request. The action does not run until a decision is returned.
Operator decides. Request lands in /access-requests in the Overwatch console. Default SLA is a 5-minute TTL per PILOT.md; tunable per axis.
Timeout. Behavior on expiry is configurable per axis — block, allow, or fall through to coach (advisory). The daemon emits an audit event either way.
MCP path. Cooperative agents that speak the MCP tether_may_i_* surface can escalate the same way — the needs_approval result rides the JIT queue and the operator UI is the same.
See the operator-decides beat on the demo page for the rendered console view.
"What about Cursor?"
Coverage depends on whether the tool honors a base-URL override. Three tiers; honest about each.
| Tool | Architecture | Best tier today | What we see | Honest gap |
|---|---|---|---|---|
| Claude Code | Anthropic CLI, Node.js | Tier B (configured-upstream) | Full prompt + response stream, tool-use blocks, file attachments | MCP servers need their own coverage |
| OpenAI Codex CLI | OpenAI CLI | Tier B | Full prompt, response, tool calls | Non-OpenAI provider configs need local prefix |
| Aider | Open-source Python CLI | Tier B | Full prompt, response, every file attached, every diff applied | None at Tier B |
| Zed | Native Rust editor | Tier B | Full prompt, response, file context | Custom provider added after install drops to Tier A until re-sync |
| VS Code + Continue / Copilot | VS Code extension | Tier A on Copilot · Tier B on Continue | Copilot: vendor + identity. Continue: full content | Copilot's prompt path is opaque — Tier A is the honest claim |
| Cursor | Closed-source VS Code fork | Tier B on BYOK · Tier A on default flow | BYOK: full content. Default: vendor + identity | Default flow on unmanaged devices: prompt content not visible |
| Browser-only (ChatGPT.com) | Web app | — | Network destination via your existing CASB | Not in Tether's scope. Browser extension on roadmap; not shipping today |
Full per-tool detail lives in the current AI-tool coverage matrix on master. Bring the two tools your developers actually use; we will walk you through what Tether sees on each.
Bring two tools.
We'll show you both tiers.
Bring the AI tool your developers use most and one you're considering. We'll show you what Tether sees on each — and what it doesn't.